Bump CI VMs to ones with netavark 1.10.3

And, runc-1.12 broke our seccomp e2e tests (runc now calls getcwd(), which is the dummy syscall blocked for testing seccomp). Switch to blocking link() instead. Also, disable v4.1.0 upgrade tests. They're hanging, and I have no idea why, and have wasted most of a day debugging. Fixes: #21546 Signed-off-by: Ed Santiago <santiago@redhat.com>
2025-06-30 15:49:03 +08:00 · 2024-02-12 06:50:35 -07:00
parent f7f4d1064d
commit 5eb801a562
4 changed files with 31 additions and 24 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -33,7 +33,7 @@ env:
    DEBIAN_NAME: "debian-13"

    # Image identifiers
-    IMAGE_SUFFIX: "c20240201t143038z-f39f38d13"
+    IMAGE_SUFFIX: "c20240212t122113z-f39f38d13"


    # EC2 images
@ -1010,8 +1010,8 @@ upgrade_test_task:
        - build
        - local_system_test
    matrix:
-        - env:
-              PODMAN_UPGRADE_FROM: v4.1.0
+#        - env:
+#              PODMAN_UPGRADE_FROM: v4.1.0
        - env:
              PODMAN_UPGRADE_FROM: v4.8.0
    gce_instance: *standardvm
--- a/test/e2e/play_kube_test.go
+++ b/test/e2e/play_kube_test.go
@ -1248,7 +1248,7 @@ var (
 	defaultConfigMapName  = "testConfigMap"
 	defaultSecretName     = "testSecret"
 	defaultPVCName        = "testPVC"
-	seccompPwdEPERM       = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	seccompLinkEPERM      = []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 	// CPU Period in ms
 	defaultCPUPeriod = 100
 	// Default secret in JSON. Note that the values ("foo" and "bar") are base64 encoded.
@ -3016,14 +3016,14 @@ var _ = Describe("Podman kube play", func() {
 	It("seccomp container level", func() {
 		SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 		// expect kube play is expected to set a seccomp label if it's applied as an annotation
-		jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+		jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 		if err != nil {
 			GinkgoWriter.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}

 		ctrAnnotation := "container.seccomp.security.alpha.kubernetes.io/" + defaultCtrName
-		ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+		ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noneShallPass"}))

 		pod := getPod(withCtr(ctr), withAnnotation(ctrAnnotation, "localhost/"+filepath.Base(jsonFile)))
 		err = generateKubeYaml("pod", pod, kubeYaml)
@ -3042,20 +3042,20 @@ var _ = Describe("Podman kube play", func() {
 		logs := podmanTest.Podman([]string{"logs", ctrName})
 		logs.WaitWithDefaultTimeout()
 		Expect(logs).Should(Exit(0), "podman logs %s", ctrName)
-		Expect(logs.ErrorToString()).To(ContainSubstring("getcwd: Operation not permitted"))
+		Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noneShallPass: Operation not permitted"))
 	})

 	It("seccomp pod level", func() {
 		SkipIfRemote("podman-remote does not support --seccomp-profile-root flag")
 		// expect kube play is expected to set a seccomp label if it's applied as an annotation
-		jsonFile, err := podmanTest.CreateSeccompJSON(seccompPwdEPERM)
+		jsonFile, err := podmanTest.CreateSeccompJSON(seccompLinkEPERM)
 		if err != nil {
 			GinkgoWriter.Println(err)
 			Skip("Failed to prepare seccomp.json for test.")
 		}
 		defer os.Remove(jsonFile)

-		ctr := getCtr(withCmd([]string{"pwd"}), withArg(nil))
+		ctr := getCtr(withCmd([]string{"ln"}), withArg([]string{"/etc/motd", "/noPodsShallPass"}))

 		pod := getPod(withCtr(ctr), withAnnotation("seccomp.security.alpha.kubernetes.io/pod", "localhost/"+filepath.Base(jsonFile)))
 		err = generateKubeYaml("pod", pod, kubeYaml)
@ -3074,7 +3074,7 @@ var _ = Describe("Podman kube play", func() {
 		logs := podmanTest.Podman([]string{"logs", podName})
 		logs.WaitWithDefaultTimeout()
 		Expect(logs).Should(Exit(0))
-		Expect(logs.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+		Expect(logs.ErrorToString()).To(ContainSubstring("ln: /noPodsShallPass: Operation not permitted"))
 	})

 	It("with pull policy of never should be 125", func() {
--- a/test/e2e/run_networking_test.go
+++ b/test/e2e/run_networking_test.go
@ -24,7 +24,6 @@ var _ = Describe("Podman run networking", func() {
 	hostname, _ := os.Hostname()

 	It("podman verify network scoped DNS server and also verify updating network dns server", func() {
-		Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
 		// Following test is only functional with netavark and aardvark
 		SkipIfCNI(podmanTest)
 		net := createNetworkName("IntTest")
@ -72,8 +71,6 @@ var _ = Describe("Podman run networking", func() {
 	})

 	It("podman network dns multiple servers", func() {
-		Skip("FIXME: needs netavark > 1.10.2, available >= 2024-02-02")
-
 		// Following test is only functional with netavark and aardvark
 		SkipIfCNI(podmanTest)
 		net := createNetworkName("IntTest")
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@ -361,8 +361,8 @@ var _ = Describe("Podman run", func() {
 		Expect(conData[0].Config.Annotations).To(Not(HaveKey("io.podman.annotations.init")))
 	})

-	forbidGetCWDSeccompProfile := func() string {
-		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"getcwd","action":"SCMP_ACT_ERRNO"}]}`)
+	forbidLinkSeccompProfile := func() string {
+		in := []byte(`{"defaultAction":"SCMP_ACT_ALLOW","syscalls":[{"name":"link","action":"SCMP_ACT_ERRNO"}]}`)
 		jsonFile, err := podmanTest.CreateSeccompJSON(in)
 		if err != nil {
 			GinkgoWriter.Println(err)
@ -517,17 +517,27 @@ var _ = Describe("Podman run", func() {
 	})

 	It("podman run seccomp test", func() {
-		session := podmanTest.Podman([]string{"run", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
-		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError())
-		Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
-	})
+		secOpts := []string{"--security-opt", strings.Join([]string{"seccomp=", forbidLinkSeccompProfile()}, "")}
+		cmd := []string{ALPINE, "ln", "/etc/motd", "/linkNotAllowed"}

-	It("podman run seccomp test --privileged", func() {
-		session := podmanTest.Podman([]string{"run", "--privileged", "--security-opt", strings.Join([]string{"seccomp=", forbidGetCWDSeccompProfile()}, ""), ALPINE, "pwd"})
+		// Without seccomp, this should succeed
+		session := podmanTest.Podman(append([]string{"run"}, cmd...))
 		session.WaitWithDefaultTimeout()
-		Expect(session).To(ExitWithError())
-		Expect(session.ErrorToString()).To(ContainSubstring("Operation not permitted"))
+		Expect(session).To(ExitCleanly())
+
+		// With link syscall blocked, should fail
+		cmd = append(secOpts, cmd...)
+		session = podmanTest.Podman(append([]string{"run"}, cmd...))
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(Exit(1))
+		Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
+
+		// ...even with --privileged
+		cmd = append([]string{"--privileged"}, cmd...)
+		session = podmanTest.Podman(append([]string{"run"}, cmd...))
+		session.WaitWithDefaultTimeout()
+		Expect(session).To(Exit(1))
+		Expect(session.ErrorToString()).To(ContainSubstring("ln: /linkNotAllowed: Operation not permitted"))
 	})

 	It("podman run seccomp test --privileged no profile should be unconfined", func() {